yunsip | 739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-11-2022 16:16

Target

739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d.dll
Size

679KB
MD5

0ba88b28a3603f1702e4cf2db0aca8d0
SHA1

2d1846b8889ce9195cfcb1568a4626f763ca346e
SHA256

739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d
SHA512

43e426afe17e0b9527a5296f252db966e81efb089c54c082c703a9f7bd57373cedbe0350e362b1d1223bf22c192390384c38a0a1da810719176052449be30583
SSDEEP

3072:o6pU5Y1DXnbMn7Uzkop61/dAzV2O3XwTBftrm2YedGf3QKZDQ:o6C5AXbMn7UI1FoV2gwTBlrIckPm

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1472	112	rundll32.exe	27
PID 112 wrote to memory of 1472	112	rundll32.exe	27
PID 112 wrote to memory of 1472	112	rundll32.exe	27
PID 112 wrote to memory of 1472	112	rundll32.exe	27
PID 112 wrote to memory of 1472	112	rundll32.exe	27
PID 112 wrote to memory of 1472	112	rundll32.exe	27
PID 112 wrote to memory of 1472	112	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\739c3e20b49d0de8b3c1472e3559a1818d3599afef223f31e1d86f2106c5210d.dll,#1
  2⤵
  PID:1472

memory/1472-55-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download